The web system allows faculty members to change grades. So before we do the attack I'll just show you how I can log in. I can log in as Steve, and you've seen my password; you stole it in the previous attack. I can view the grades of some student, for example this student with ITS 335 as an A. If I select that student I can change the grade. Okay, so this is the normal feature of the website: it allows the admin or the faculty member to change grades. Let's give them an F. So select the student that you want to look at; you may type in the course code. If you click on their ID, so currently they have a B plus, I may change the grade to, say, an F. So I've done it for both students, or a D in this case. So that's the normal feature: the faculty member can change grades. Students should not be able to change grades, and if you do it normally as a student you'll find you cannot change the grades. We'll not test that, but what we'd like as a student is to get the grades changed without being logged in as a faculty member. Can the student change the grades? We'll do what's called a cross-site request forgery attack to do so.

Let's just view the grades, just to confirm. So this student has a B for CSS 322, a C for ITS 3332 3, and an F for the other one. Let's give them an F for everything; they're not so good. Okay, so that student has F's for all courses. Now I'm currently logged in as the faculty user Steve. Someone sends me, while I'm logged in and marking students, an email with a link to another website which offers some interesting things, some free stuff. I don't have the email, but they told me the URL. I'll open it up: freestuff.com, free stuff. Someone sent a link to this and I like free stuff, so I visit the website. Okay, it offers free stuff. So let's say this is a website that has many different things that are interesting to me. So I visited that, fine. Now I'd better go back to marking. I need to finish grading.
So I go back to grading and just check and view the grades. Mr. Four there. What's happened, student? This student now has an A for ITS 335. So this is what we call a cross-site request forgery, and it involves several aspects. It involved: while I was logged in to the normal website, I visited another website, free stuff, for example. The malicious user tricked me into visiting this website; they sent me an email or told me a link to this website which offers things for free or something that I'm interested in, and I go there while I'm also logged in, in another tab, into the MyUni website. Now let's look at this free stuff website. Let's look at the source code. If you look at the source code, it actually contains an image in there, but the size of the image is zero. So there's an image, but it's not viewable; that's to hide it from the normal user. And that image: the way that images work with your web browser is that when there's a link to an image, your web browser will automatically download it; it clicks on this link. Look at the link: it goes to the real MyUni website and it executes, or it visits, the URL that updates the grade for that user for the course ITS 335; it sets the new grade to A. That is the normal way to update a grade, by this URL, but it only works if you're logged in as the user Steve. If a student who's logged in as their normal user tries to visit this URL,
it will not work. But my web browser is currently logged in as Steve on the other tab, and the cookie that identifies me is still sent. When my web browser visits this image it sends the cookie for the domain www.myuni.edu, and the MyUni website receives the cookie from user Steve. Therefore it executes the update of the grade and it changes the user's grade to an A without me knowing. Right, I know now because I see it in the grades, but what can happen here is that a student who cannot log in and change their grade, if they can trick me to visit a website which has a link to the URL that does change the grade while I'm currently logged in, then they can get the grade changed, in this case. So it involved this fake website, which was node 5 in our case, set up with a hidden link to change the grade, and it worked in that case. In this case the hidden link was in a zero-sized image; there are other ways to do that as well. It's called a cross-site request forgery: there's a request sent to a different site, so the cross site, and the request really is a request to the MyUni site, and it has the correct domain so that the cookie which logs me in is attached in that request. So this is another attack which is quite prominent, and if we return to our lecture slides, wherever it is, where does it fit? CSRF, cross-site request forgery, in number eight here. It involves that you're logged in to the normal application, the normal website, and the attacker has another website with a link to the normal one, hidden from the user, and they get the victim to visit that site while logged in. So it requires me to be logged in at the same time but visit a different website, and if it's not implemented correctly it allows the attacker to execute something that they couldn't. There are ways to prevent that. In every request make sure that there's some token included that is unique and unpredictable, so that the attacker cannot create such a link
that will work; the web server will check the link. And make sure that the information is not in the URL but is in a POST request. So you can implement your browser, your application, to avoid such attacks, but some people will not.
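As an added example, not code from the lecture or from the MyUni site, here is a constructed in-memory model of the grade-update endpoint: the version as demonstrated (any request carrying Steve's session cookie succeeds, so the hidden image's GET works) beside a version with the two mitigations the lecture names, a per-session unpredictable token and POST-only updates. All names, cookie values and the grade table are made up for the demonstration.

```python
import secrets

# Constructed stand-ins for the site's grade table and session store (not the real MyUni data).
GRADES = {"s001": {"ITS335": "F"}}
SESSIONS = {"cookie-steve": {"user": "steve", "role": "faculty"}}  # cookie value -> session


def update_grade_vulnerable(method, params, cookies):
    """The endpoint as demonstrated: the browser-attached cookie is the only check."""
    session = SESSIONS.get(cookies.get("session"))
    if not session or session["role"] != "faculty":
        return "403 not faculty"
    GRADES[params["student"]][params["course"]] = params["grade"]
    return "200 updated"


def issue_csrf_token(cookie_value):
    """Mint an unpredictable token tied to the session; the grade form embeds it."""
    token = secrets.token_hex(16)
    SESSIONS[cookie_value]["csrf"] = token
    return token


def update_grade_hardened(method, params, cookies):
    """Same endpoint, but updates must be POSTed and carry the session's token."""
    session = SESSIONS.get(cookies.get("session"))
    if not session or session["role"] != "faculty":
        return "403 not faculty"
    if method != "POST":
        return "405 use POST"
    expected = session.get("csrf")
    if not expected or not secrets.compare_digest(expected, params.get("csrf", "")):
        return "403 bad csrf token"
    GRADES[params["student"]][params["course"]] = params["grade"]
    return "200 updated"


def simulate_hidden_image(handler):
    """The zero-sized <img> on the free stuff page: the browser issues a GET and attaches
    the myuni cookie by itself; the other site cannot read or set the session token."""
    forged = {"student": "s001", "course": "ITS335", "grade": "A"}
    return handler("GET", forged, {"session": "cookie-steve"})


def simulate_forged_post(handler):
    """Same forged parameters submitted as a POST, still without the token."""
    forged = {"student": "s001", "course": "ITS335", "grade": "A"}
    return handler("POST", forged, {"session": "cookie-steve"})


def simulate_faculty_form(handler):
    """Steve's own grade form: it carries the token the server issued to his session."""
    token = issue_csrf_token("cookie-steve")
    legit = {"student": "s001", "course": "ITS335", "grade": "B", "csrf": token}
    return handler("POST", legit, {"session": "cookie-steve"})
```

The forged POST case shows that the token, not the method change alone, is what stops a request the attacker's page can generate; the method check on its own only blocks the image trick.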